Commission report warns U.S. is losing the spy race from lack of R&D, STEM education

On Nov. 5, 2013, The National Commission for the Review of the Research and Development Programs of the United States Intelligence Community released an unclassified version of its assessment of U.S. research and development programs, finding that the U.S. is falling behind and that its efforts are highly uncoordinated. [The Report can be found here.]

The Commission making the review was originally constituted at the time of the 9-11 Commission (properly The National Commission on Terrorist Attacks Upon the United States). In 2010, the Commission was reauthorized to review Intelligence Community readiness more broadly.

The New York Times described the report as “blistering … charging that the intelligence world’s research-and-development efforts are disorganized and unfocused.”

The Commission said the lack of investment, coordination, infrastructure and foresight is putting the nation at risk.

U.S. technological superiority is diminishing in important areas, and our adversaries’ investments in [Science and Technology]—along with their theft of our intellectual property, made possible in part by insufficient cyber protection and policies—are giving them new, asymmetric advantages. The United States faces increasing risk from threats against which the IC could have severely limited warning, deterrence, or agility to develop effective countermeasures.

The report is not primarily an intelligence report. The Commission was not focused on the failures associated with the NSA’s massive – and in some cases unconstitutional – spying campaign. Nor was it tied to the Edward Snowden disclosures and the global embarrassment triggered by those disclosures.

Instead, the report identifies the need to treat intelligence as a global issue that needs broad reforms, such as STEM education and immigration/workforce reform. It identifies a wide range of concerns about the lack of investment in intelligence and the failure to be prepared.

The report calls for much greater data analytics, which will likely be the platform used by the NSA to justify its ongoing activities. Even a pro-intelligence report such as this, however, identifies the need for intelligent data analytics rather than the massive, undifferentiated and largely counter-productive methods currently highlighted by the NSA disclosures. Not surprisingly, the admonitions also demand better coordination, including “development of a new joint program plan between the Director of Science and Technology and the Deputy Director of National Intelligence for Intelligence Integration for Enhanced Integrated Intelligence, which it will use to track, prioritize, and coordinate Enhanced Integrated Intelligence R&D across the [intelligence community].”

“Exacerbating these challenges are U.S. policies that weaken the U.S. R&D talent base,” the report warned. “As scientific and technical knowledge and the resulting economic growth spread around the world, the competition for R&D talent is increasingly global.”

This is just one of many reports highlighting the continued disarray of the intelligence community, an infrastructure struggling to keep up with cyber-threats and embarrassing the U.S. with political follies.

The report opens with a powerful juxtaposition of quotes that should help guide future discussions:

Failure to properly appraise the extent of scientific developments in enemy countries may have more immediate and catastrophic consequences than failure in any other field of intelligence.

—Task Force Report on National Security Organization (the Eberstadt Report) (1948)

Failure to properly resource and use our own R&D to appraise, exploit, and counter the scientific and technical developments of our adversaries—including both state and non-state actors—may have more immediate and catastrophic consequences than failure in any other field of intelligence.

—National Commission for the Review of the Research and Development Programs of the United States Intelligence Community (2013)


Cyber Defense Strategies and Responsibilities for Industry Call for Papers Now Open

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the third annual Law + Informatics Symposium on February 27-28, 2014.

2014 Law + Informatics Symposium on Cyber Defense Strategies and Responsibilities for Industry

The focus of the conference is to provide an interdisciplinary review of issues involving business and industry responses to cyber threats from foreign governments, terrorists, and corporate espionage. The symposium will emphasize the role of the NIST Cybersecurity Framework and industries providing critical infrastructure.

The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues in cybersecurity and informatics law as it applies to corporate strategies and the obligations of business leaders. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics relating to the theme, such as the following:

Cyber Warfare

  • Rules of Engagement
  • Offensive and defensive approaches
  • Responses to state actors
  • Engagement of non-state actors
  • Distinguishing corporate espionage from national defense
  • Proportionality and critical infrastructure
  • Cyber diplomacy
  • Cold War footing and concerns of human rights implications

Front Lines for Industry

  • Role of regulators such as FERC
  • Legacy systems and modern threats
  • NIST guidelines
  • NIST Cybersecurity Framework
  • Engaging Dept. of Homeland Security
  • Implications on various industries (electric power, telecommunications and transportation systems, chemical facilities)
  • Health and safety issues

Global Perspectives

  • Concepts of cyber engagement in Europe
  • Perception of Internet and social media as threat to national sovereignty
  • Rules of engagement outside U.S. and NATO
  • Implications for privacy and human rights
  • Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper, and Shamoon
  • Cyber engagement in lieu of kinetic attacks or as a component of kinetic engagement


Corporate Governance

  • Confidentiality and disclosure obligations
  • Responsibilities of the board of directors
  • Staffing, structures and responses
  • Data protection & obligations regarding data breaches
  • Corporate duty to stop phishing and other attacks for non-critical industries
  • Investment and threat assessment
  • Litigation and third party liability


Other Issues

  • Executive orders and legislative process
  • Lawyer responsibility in the face of potential threats
  • Practical implications of government notices
  • Perspective on the true nature of the threat

Submissions & Important Dates:

  • Please submit materials to Nkylrsymposium@nku.edu
  • Submission Deadline for Abstracts: September 1, 2013
  • Submission Deadline for First Draft of Manuscripts: January 1, 2014
  • Submission Deadline for Completed Articles: February 1, 2014
  • Symposium Date: February 27-28, 2014

Law Review Published Article: The Northern Kentucky Law Review will review, edit and publish papers from the symposium in the 2014 spring symposium issue. Papers are invited from scholars and practitioners across all disciplines related to the program. Please submit a title and abstract (of 500-100 words) or draft paper for works in progress. Abstracts or drafts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Presentations (without publication) based on Abstracts: For speakers interested in presenting without submitting a publishable article, please submit an abstract of the proposed presentation. Abstracts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Publication of Corporate Handbook on Cyber Defense: The Law + Informatics Institute may edit and publish a handbook for corporate counsel related to the topics addressed at the symposium. Scholars and practitioners interested in authoring book chapters are invited to submit their interest by September 1, 2013, which may be in addition to (or as an adaptation of) a submitted abstract for The Northern Kentucky Law Review. Submissions may be accepted on a rolling basis after that time until all chapter topics are filled.

About the Law and Informatics Institute: The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • Professor Jon M. Garon, symposium faculty sponsor and book editor: garonj1@nku.edu or 859.572.5815
  • Lindsey Jaeger, executive director: JaegerL1@nku.edu or 859.572.7853
  • Aaren Meehan, symposium editor: meehana2@mymail.nku.edu or 859.912.1551

Fourth Circuit Joins Ninth in Limiting CFAA – Setting Stage for More Action

In 1986, Congress amended its earlier attempt to combat computer crime with the Computer Fraud and Abuse Act of 1986. It was further expanded in 2001 under the USA Patriot Act. The CFAA serves as both a criminal and civil statute. It carries strong criminal penalties for unauthorized entry into computer systems and provides an express private cause of action – enabling injured parties to sue intruders using the federal law as the basis for their claims.

The most controversial aspect of the CFAA has been the meaning of unauthorized access. Among the violations, Congress has made it a crime to “intentionally access[] a computer without authorization or exceed[] authorized access….” The statute provides some additional guidance. The phrase “exceeds authorized access” has its own definition. It means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” § 1030(e)(6). So it seems fairly clear that using one’s password to acquire documents one has no right to read is a violation of the statute.

But data theft is more nuanced than just this. What about downloading documents when the person downloading has authority to use the material, but then uses that material in an unauthorized manner? Put another way – if an employee is fired and then takes the files she has had at home and brings them to her next employer, it is unlikely a CFAA claim can be made. Conversely, if she returns to work the day after being fired and downloads all the company documents, she has certainly violated the CFAA, since her termination ended her authorized access to the computer. But what about the situation when one downloads the documents intending trade secret theft prior to being fired or quitting the company?

The Fourth Circuit faced this situation in a recent opinion, WEC Carolina Energy Solutions LLC v. Miller, 2012 U.S. App. LEXIS 15441 (4th Cir. July 26, 2012).

The court explained the split of authority interpreting the statute:

In short, two schools of thought exist. The first, promulgated by the Seventh Circuit … holds that when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it. Thus, for example, the Seventh Circuit held [in Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006)] that an employee who erased crucial data on his company laptop prior to turning it in at the end of his employment violated the CFAA. It reasoned that his “breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”

The second, articulated by the Ninth Circuit … interprets “without authorization” and “exceeds authorized access” literally and narrowly, limiting the terms’ application to situations where an individual accesses a computer or information on a computer without permission. Thus, in [United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc)] the Ninth Circuit, sitting en banc, held that the defendant’s coconspirators, a group of employees at an executive search firm, did not violate the CFAA when they retrieved confidential information via their company user accounts and transferred it to the defendant, a competitor and former employee. It reasoned that the CFAA fails to provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded.

The Fourth Circuit opinion attempts to make sense of the language with a simple, plain language approach. “Congress has not clearly criminalized obtaining or altering information ‘in a manner’ that is not authorized,” the court explained. “Rather, it has simply criminalized obtaining or altering information that an individual lacked authorization to obtain or alter.”

This separates the Fourth Circuit from the Seventh Circuit and even distinguishes it somewhat from other courts. Employees who hack into their employers’ computer systems to steal data or who use the username and password of other employees to gain greater access to computer systems will remain liable under the CFAA. But those who take electronic files home to work on them at night without express permission are beyond the scope of the CFAA. Similarly, those disgruntled employees who steal electronic files while on the job may be violating their terms of employment, company policies, and state laws, but they are not violating the CFAA in the Fourth Circuit.

Since it is better that the interpretation of a statute does not turn on the language in the employee handbook, this is a better result. Companies can still protect themselves by limiting access to sensitive information. Other laws address theft of trade secrets, and other torts provide a remedy for breach of fiduciary duties. On the other hand, the distinction between the circuits need not be as stark. An employee who erases all company data before returning equipment has likely exceeded the authority to alter the data. This result is consistent with the outcome in WEC, and a court can still reach such misconduct under the cleaner interpretation of the Fourth Circuit.

While it remains to be seen whether the Fourth Circuit opinion invites Supreme Court review, it may be sufficiently well reasoned to invite other circuits to reconsider interpretations of the statute that go beyond the language Congress enacted.

CFAA only for hacking – at least in the West

In U.S. v. Nosal __ F.3d __ (2012), the Ninth Circuit made clear that it considers the scope of the Computer Fraud and Abuse Act to be focused specifically on computer hacking rather than more broadly related to violations of corporate policies and terms of service agreements.

The case arose out of a minor bit of corporate espionage – and the hubris and stupidity that often accompanies such activities. David Nosal, a former employee at the executive search firm of Korn/Ferry, “convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business.” The Korn/Ferry employees used their access to the system to download confidential information, including source lists, names and contacts, which they emailed to Nosal. They were all caught. The government indicted Nosal on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA.

Although Nosal did not violate the CFAA, he was charged with aiding and abetting those former colleagues who did. The aiding and abetting count rests on whether the conduct of Nosal’s former colleagues violated the CFAA when they used their authorized access to the confidential database to breach their confidentiality terms and steal trade secrets.

Writing a clear, rather stinging rebuke of the government’s position, Judge Kozinski explained that the relevant section of the CFAA is limited to computer hacking, not every violation of a use policy.

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).

This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed[] authorized access” if he looks at the customer lists.

Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.

… The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. … The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.

… Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. … Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.

There are a number of subsections of the CFAA, and the government takes the position that the broad interpretation of this provision is limited by the need to prove an intent to defraud. In the other sections of the CFAA where intent to defraud is not required, the statute’s scope could then still be more limited. But the Ninth Circuit points out that the language of the offense is the same, so that giving the same phrase a different scope within the same statute is unworkable.

The Ninth Circuit remains at odds with decisions in other circuits. Eventually either Congress or the Supreme Court will need to reconcile this increasingly important tension in the CFAA. For now, one’s exposure to federal criminal prosecution depends, at least in part, on where one accesses the computer.

LII Presents Ethics in Informatics Program on proposed changes to ABA guidelines and SEC Technology Guidance

Information and registration for our next event is now available.

Ethics in Informatics:

Changing Ethics Rules and New SEC Guidance Redefine the Competency of the Lawyer

featuring

Dean Dennis R. Honabach, Chair of the ABA’s Standing Committee on Professionalism

Professor Jon M. Garon, Director of the NKU Chase Law & Informatics Institute

Friday, May 4, 2012

Cincinnati, Ohio

The practice of law has largely gone digital in the past decade. In response, the American Bar Association’s Commission on Ethics 20/20 is examining technology’s impact on the legal profession. It has proposed a revision to the Model Rules of Professional Responsibility to make explicit an affirmative duty regarding data privacy, security and reliability: to prevent “the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.” Not to be outdone, the Corporate Finance Division of the Securities and Exchange Commission has taken steps of its own to require greater awareness, disclosure and reporting of issues relating to technological knowledge held by a company – including its lawyers.

This program provides attendees guidance on three key areas:

  • The existing and proposed ethical rules regarding technologically mediated client confidentiality;
  • The lawyer’s role in assisting clients meet their affirmative duties of disclosure; and
  • The lawyer’s duties regarding social media and cloud computing in the context of client communications, ex parte communications, and interactions with the judiciary in social media and cyberspace.

Date: Friday, May 4, 2012
Time: 7:30 a.m. to 9:35 a.m.
Continental Breakfast will be served from 7:30 a.m. to 8:00 a.m.
Location: Wood, Herron & Evans, Floor 36, 441 Vine Street, Cincinnati, OH 45202
Registration fee: $99.00 for general public and $89.00 for alumni
CLE credits: 1.5 Ethics CLE in Ohio & KY
For more information: www.lawandinformatics.org/breakfastseries
Online registration: Register online
Fax Registration: Download a fax registration form
Call in registration: (859) 572-7853 to reach Admin. Dir. Lindsey Jaeger

Dean Dennis R. Honabach is the co-author of D&O Liability Handbook and the Proxy Rules Handbook. He has published law review articles on topics ranging from managerial liability and Enron to toxic torts and legal education. Dean Honabach is the chair of the ABA’s Standing Committee on Professionalism, the co-chair of the Business Law Education Committee of the ABA’s Business Law Section and a member of the Misconduct and Irregularities Subcommittee of the LSAC.

Jon M. Garon is an attorney and professor of informatics, entertainment, intellectual property and business law. He has extensive practice experience in the areas of entertainment law (including film, music, theatre and publishing), data privacy and security, business planning, copyright, trademark, and software licensing.

“Ethics in Informatics” is the first presentation in the Law & Informatics Breakfast Series, which will address various topics on privacy, data security, social media and ethics. These programs will be hosted in downtown Cincinnati. We are very grateful to the law firms of Wood Herron & Evans LLP, Frost Brown Todd LLC, Baker & Hostetler LLP and Dinsmore & Shohl LLP for their support as hosts for this coming year’s program.


Cybersecurity Act of 2012 Puts Focus on the Shadow Wars

On February 14, 2012, a 205-page comprehensive new Cybersecurity Act of 2012 was introduced in the Senate to address the growing concerns about cyber-warfare, cybersecurity, and cyber-terrorism. The bipartisan Cybersecurity Act of 2012 is co-sponsored by Senators Joe Lieberman (I-Ct), Susan Collins (R-Maine), Jay Rockefeller (D-WV) and Dianne Feinstein (D-Cal) to address the potential gaps in the critical U.S. infrastructure. As defined in the USA Patriot Act,

[T]he term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The proposed law expands on the USA Patriot Act and existing presidential directives to provide sector-by-sector assessment, standards and regulations to improve these assets. Presently, the DHS provides utterly circular guidance on the existing directives. Hopefully, the new proposal will at least increase the awareness within these sectors for comprehensive security.

The proposed legislation defines ‘‘cyber risk’’ as “any risk to information infrastructure, including physical or personnel risks and security vulnerabilities, that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure.” The information infrastructure is the privately owned communications systems located in the U.S., presumably including everything from telephones and cable to Facebook and Google.

Howard Waltzman suggests that a critical infrastructure system or asset may be deemed “covered” only if damage or unauthorized access to the infrastructure could lead to:

  • The interruption of life-sustaining services (e.g. food, energy, or emergency services) sufficient to cause a mass casualty event or mass evacuations;
  • Catastrophic economic damage to the United States, including failure or disruption of a US financial market or sustained disruption of a transportation system; or
  • Severe degradation of national security capabilities.

Ninety days following the passing of the legislation, a sector-by-sector review of the critical infrastructure will provide a prioritized list of the most at-risk systems.

There are significant exemptions in the law to protect private vendors (perhaps security software companies, search engine providers, and social media networks) so that particular products cannot be singled out. Similarly, there is a weak attempt to provide free speech protections to the system and to protect technologies based solely on their ability to be used in critical infrastructure.

The timing of the legislation is particularly interesting in light of the recent cyber attack in Israel by a Saudi Arabian hacker and retaliatory credit card hacking by an Israeli against the Saudi banks. Attacks against Google and US defense contractors allegedly by Chinese sponsored hackers raised similar concerns.

Moreover, a stealth war with Iran appears to be heating up, including the assassinations of government scientists and public officials, increased sponsorship of terrorism targeting soft targets, and heightened war rhetoric.

As with SOPA and the PROTECT IP Act, the critical issue will be focusing on the primary risks rather than political maneuvering by legislators to prove who is the toughest on the perceived threat. The costs for upgrading critical infrastructure will likely be immense; the complexity will be monumental; and the challenges significant. Where our nation is at risk, these steps must be taken. But the process must include some caution and common sense so that it is moderated and proportional to the outstanding threats.

PROTECT IP Act may be open to some Reasonable Amendments

In response to concerted objections to aspects of the PROTECT IP Act, legislation sponsor Senator Patrick Leahy (D-Vt.) announced by radio and press release that the sponsors may eliminate a controversial provision requiring Internet Service Providers (ISPs) to interfere with the Domain Name System as a technique to prevent consumer access to foreign websites deemed “rogue” or havens for pirated goods.

According to the press release, the Senate is set to hold a procedural vote January 24, 2012. With over 40 co-sponsors of the bill, the position may face internal opposition, but Senator Leahy remains an influential voice on such topics and in the Senate.

According to the press release:

The PROTECT IP Act provides new tools for law enforcement to combat rogue websites that operate outside our borders but target American consumers with stolen American property and counterfeits. One of those tools enables law enforcement to secure a court order asking Internet Service Providers (ISPs) to use the Domain Name System to prevent consumer access to foreign rogue websites. This provision was drafted in response to concerns that law enforcement has remedies it can take against domestic websites, but does not currently have the power to stop foreign rogue websites. I worked closely with the ISPs in drafting this provision to ensure they were comfortable with how it would work, and I appreciate their support. …

I and the bill’s cosponsors have continued to hear concerns about the Domain Name provision from engineers, human rights groups, and others. … I remain confident that the ISPs – including the cable industry, which is the largest association of ISPs – would not support the legislation if its enactment created the problems that opponents of this provision suggest. Nonetheless, this is in fact a highly technical issue, and I am prepared to recommend we give it more study before implementing it.

Though described as a balanced bill, the legislation and SOPA – the even more extreme House legislation – have split the intellectual property industries, with strong support from many in the creative community and nearly unanimous opposition from the tech industries. Even within the media industries, concerns run high and I have spoken to a number of publishers and media representatives who feel that the proposals will do more harm than good.

A hearing on SOPA designed to allow critics of the legislation to be heard is now scheduled for January 18th.

Senator Leahy’s announcement may be the first step towards slowing an otherwise out-of-control legislative disaster.

Business Law Today Features Rich Array of Cyberspace Issues

In the December 2011 issue of Business Law Today, the Cyberspace Law Section has weighed in with a series of articles discussing critical issues for online legislation, policy and security. The first is my introduction to the Protect IP Act and SOPA, the second focuses on international regulation, the third on the SEC move into disclosure of data threats, and the last on the internal regulations for updated policies.

All four articles are helpful and interesting. Please take a look.

As a postscript, let me point out that my article was intended to provide a neutral overview of the proposals currently before Congress. This was difficult for me to do. SOPA has a number of well-known problems and undermines data security. Moreover, the involvement of credit card companies and advertising companies will create a host of unintended consequences that will add to the cost of doing business while having only marginal impact on piracy. Nonetheless, the article was written to provide context to the current debate and help the public understand just how much additional regulation has been added in recent years.

New Legislation Renews Conflict Between Content Creators and Content Distributors
By Jon M. Garon

Business Interests Under Attack in Cyberspace: Is International Regulation the Right Response?
By Henry L. Judy and David Satola

The SEC Staff’s ‘Cybersecurity Disclosure’ Guidance: Will It Help Investors or Cyber-thieves More?
By Roland L. Trope and Sarah Jane Hughes

Going Mobile: Are Your Company’s Electronic Communications Policies Ready to Travel?
By Kathleen M. Porter

Law firm loss of computer drive highlights duty to protect firm data

Earlier this month, the Baltimore Sun and ABA Journal reported that the law firm of Baxter, Baker, Sidle, Conn & Jones lost a back-up hard drive containing 161 stent patient files. The firm properly recognized it should have off-site storage of its sensitive data to protect from risk of fire and flood but chose to have an employee take the drive home each night via commuter train.

According to the Baltimore Sun, “[t]he storage device held a complete back-up copy of the firm’s data, including medical records related to the stent malpractice claims, along with patient names, addresses, dates of birth, social security numbers and insurance information.”

The hard drive was password protected but not encrypted. Password protection alone provides only a minimal level of protection: without encryption, the data stored on the drive itself remains readable by anyone who bypasses the password. Law firms have a duty to protect confidential information both under their general ethical duties and under more specific state and federal laws. Here, the protected health information put at risk by the loss of the hard drive implicates regulations under HIPAA and the HITECH Act.

Although the law firm is unlikely to be regulated as a health care provider, it is much less clear whether the law firm must sign a Business Associate Agreement regarding the data. If the law firm was given access to the data on behalf of its client, then a Business Associate Agreement – and all the HIPAA data protection provisions – would be required. Where the data was collected in an adversarial matter from an opposing party, however, such a duty may not attach.

The niceties of HIPAA are only one of the problems. If the hard drive included all of the firm’s data, then it contains client names, and may also contain client trade secrets and other confidential information.

The American Bar Association has recognized that lawyers have an ethical duty to take reasonable measures to protect a client’s confidential information from unintended disclosure and unauthorized access. In fact, a draft proposal would codify this existing obligation under a new ABA Model Rule 1.6(c).

1.6 (c) A lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.

Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

As illustrated by the lapse at Baxter, Baker, Sidle, Conn & Jones, security starts with the physical safeguarding of data – in the firm, its physical files and its electronic storage. Trains, backpacks, and car seats are never good ideas for the systematic, ongoing protection of data. Secure, encrypted off-site storage is no longer expensive and is likely the minimum standard.

SEC provides guidance on disclosure of cybersecurity risks

Responding to a request from members of the Senate, the SEC has published official guidance regarding the obligation of publicly traded companies to address the economic consequences of cyber-attacks. The guidance, which does not have the binding authority of law or regulation, will still shape public companies’ decisions regarding disclosure.

The obligation to report likely arises from the more general obligation of public companies to disclose material risks, a point the guidance emphasizes.

“Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.”

For purposes of the disclosure, cybersecurity has been defined as “the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.” The definition cites Whatis?com available at http://whatis.techtarget.com/definition/cybersecurity.html.

The guidance illustrates the types of issues that can rise to material importance for the public.

Registrants that fall victim to successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:

  • Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
  • Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
  • Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
  • Litigation; and
  • Reputational damage adversely affecting customer or investor confidence.

The need for guidance was triggered by a letter to SEC Chairperson Mary Schapiro on May 11, 2011 from five members of the Senate. The letter demanded better disclosure.

“In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk. … Beyond our concerns about material information security risk, we believe that once a material network breach has occurred, leaders of publicly traded companies may not fully understand their affirmative obligations to disclose information on potentially compromised intellectual property or trade secrets.”

The new guidance is simply a reminder that the threats and the ramifications of network breaches and theft of intellectual property have material implications for the value of publicly traded companies and, as such, these issues must be addressed in the ongoing public disclosures of affected companies.